Summary
Yarner is an email worm that first appeared in the wild in Germany on 19th of February 2002. The worm is a PE EXE file 437 kilobytes long, it is written in Delphi and its code is not compressed.
Removal
To disinfect the worm it is enough to delete all its files from a hard drive and to delete all infected messages from email client's incoming email database. As some of worm's files have random names, they can be only found with F-Secure Anti-Virus and the latest updates.
You can download a trial version of F-Secure Anti-Virus with the latest updates from our website:
Http://www.europe.f-secure.com/download-purchase/
Install FSAV, apply the latest updates and scan your Windows directory for infection. When the worm's file is found, select 'Delete' disinfection action. Warning! If an infection is found in an email database, not in an EXE file, do NOT delete it as you will loose all your emails.
If a worm's file is locked and can't be deleted instantly, you will have to delete it from pure DOS (for Windows 9x systems) or rename it with a different extension (.EXA for example) with immediate system restart (for NT-based systems).
If an infection is found in your Windows ME or XP System Restore folder (usually '_Restore' directory), you will have to disable System Restore functionality of your Windows to avoid re-infection.
Finally rename NOTEDPAD.EXE back to NOTEPAD.EXE in Windows directory.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First, check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Seven variants of Yarner worm are currently known. They have the same functionality and the text of messages they spread with is the same too.
Being run, the worm installs itself to system. It copies itself with a random name, 'sdShdaaLEKJkasjhe.exe' for example, into Windows directory and creates a startup key in the Registry to make sure that it is always activated when Windows starts:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
The name of the key is random and its value contains the path to the worm's file in Windows directory. The worm also copies itself as NOTEPAD.EXE into Windows directory renaming the original Notepad file with NOTEDPAD.EXE name.
Then the worm starts to search for *.PHP, *.HTM, *.SHTM, *.CGI and *.PL files and looks for email addresses in them. The worm also checks Outlook Address Book for email addresses. The worm creates 2 files in Windows directory: KERNEI32.DAA and KERNEI32.DAS where it stores email addresses and SMTP server names.
After collecting email addresses, the worm gets SMTP server name from the Internet Account Manager data in the Registry and sends itself to all email addresses it could find with the following message:
From: webmaster@trojaner-info.de Subject: Trojaner-Info Newsletter Attachment: yawsetup.exe Body: Hallo ! Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de. Hier die Themen im Ueberblick: 1. YAW 2.0 - Unser Dialerwarner in neuer Version ************************************ 1. YAW 2.0 - Unser Dialerwarner in neuer Version Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW. YAW ist nun in einer brandneuen und stark erweiterten Version verfuegbar. Alle unsere Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter. Also einfach die angehaengte Datei starten und YAW 2.0 installieren. Bei Fragen steht Ihnen der Programmierer des bislang einzigartigen Programmes Andreas Haak unter andreas@ants-online.de zur Verf?gung. Viel Spa? mit YAW! ************************************Das war die heutige Ausgabe mit den aktuellsten Trojaner-Info News. Wir bedanken uns fuer eure Aufmerksamkeit und wuenschen allen Lesern noch eine angenehme Woche. Mit freundlichem Gruss Thomas Tietz & Andreas Ebert ************************************ Anzahl der Subscriber: 5.966 Durchschnittliche Besuchzahl/Tag: 4.488 Diese Mail ist kein Spam ! Diesen Newsletter hast du erhalten, da du in unserer Verteilerliste aufgenommen wurdest. Solltest du unseren Newsletter nicht selber abonniert haben, sondern eine andere Person ohne dein Wissen, kannst du diesen auf unseren Seiten wieder abbestellen. Oder sende uns einfach eine entsprechende email. ************************************
The 'From' field can contain an email of an infected user instead of 'webmaster@trojaner-info.de' email address.
After spreading the worm might (one chance out of ten) delete all files from a hard drive where Windows is installed.
F-Secure Anti-Virus detects all known variants of Yarner worm with updates published on 19th of February 2002.
Protect your devices from malware with F‑Secure Total
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
Award‑winning antivirus and malware protection
Online browsing, banking, and shopping protection
24/7 online identity and data breach monitoring
Unlimited VPN service to safeguard your privacy
Password manager with private data protection
Choose how many devices you want to protect to get started.
Free customer support
Cancel anytime
The trial does not obligate you to buy the product
After 30 days your subscription will renew automatically for one year at €69.99.
)
)
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.